Why SharePoint Fails to Support ERM
Steven Minsky | Feb. 18, 2014
While SharePoint is a good tool for file storage, it falls significantly short of delivering the capabilities a risk manager needs to analyze trends and see the relationships the job requires.
Cost & Innovation
SharePoint on the surface may look like an inexpensive solution versus commercial ERM software, however the hidden cost of IT development is rarely understood until too late. To make a SharePoint project useful, a minimum of $150,000 in labor alone invested over 2 years is required for small to mid-sized businesses, even for the most modest attempts to internally develop, test and support a software infrastructure for ERM. This investment is often much greater for larger organizations (greater than 1000 employees).
ERM software vendors invest millions of dollars in their product development, have the benefit of 10 years of business requirements definition, and thousands of experienced risk managers providing feature recommendations. Software companies can then distribute this cost over its entire customer base and have access to the many ways organizations are actually using the software to shape the functionality over time to incorporate evolving best practices to support an effective and efficient ERM program.
These costs do not include the time of business users in the business requirements gathering process or consultants on risk management best practices inquiries. Worst of all, how will risks be managed during this time when your organization is tied up with software development rather than focusing on their core area of business?
Engagement of Others
Risk management is an iterative process that requires collecting a great deal of information to glean the necessary insights. An ERM program is only effective if regular folks throughout the business use it!
So the true insidious cost of an internally developed SharePoint attempted ERM solution is the lost time and energy of that results when IT developers without risk or business backgrounds attempt to deliver a tool for business users without the prerequisite experience to do so. The result is a solution that no normal business user can understand. Without the engagement of managers to participate in assessments, there is no meaningful data for an enterprise risk management program manager to analyze.
Not only does SharePoint impede the process of combining data into a coherent big picture, it also means any changes to data structure becomes a great undertaking. Dependent on SharePoint and spreadsheets, risk managers will spend countless hours validating data, double-checking formulas, and updating values instead of spending that time on much needed evaluation and mitigation.
Risk analysis is not a static process; it’s dynamic and highly strategic. Assessment structure, information, and the people involved evolves over time as management’s requirements and priorities change.
SharePoint and spreadsheets, however, are static. With each change to a spreadsheet or SharePoint site, links between information are lost making it very difficult to analyze relationships over time. Without these relationships, how will you link risks and their controls to your organization’s strategic goals?
What’s worse, SharePoint and spreadsheets can actually limit the depth of risk analysis. You can only analyze the relationships your risk tools can uncover. Spreadsheets offer limited access to past and current data, you cannot easily aggregate and dissect information, and they require a high level of technical knowledge to compare data over time.
Simply put, spreadsheets and SharePoint prevent an understanding of the dependencies and consequences between departments, processes, and strategic goals. Without these connections it’s impossible to see how multiple risk can come together to create a disaster like the BP oil spill or the Japanese nuclear crisis.
Risk management isn’t something that can be done in isolation. The information risk managers collect and analyze needs to be accessible to the rest of the organization. SharePoint does not have sophisticated reporting capabilities, called business intelligence software, to share information with management or other support functions that could benefit from that data.
The result is a risk management function without support from management and an organization with an abundance of duplicate tests, controls, and information. Risk managers need to be able to aggregate and access information across business silos and multiple levels in order to engage the right people with the right information.
Risk management requires dynamic tools that can organize and link data automatically, analyze dependencies and consequences enterprise-wide, and be accessed by decision makers and other silos.
The solution is ERM software with a robust risk taxonomy that can organize risk-information all in one place, link the relationships between data, and be accessible to the rest of the organization. Identify duplicate tests and controls, uncover the complex relationships between risks, and make that information accessible to decision-makers with one shared risk management platform.